Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1443435 - (CVE-2017-6181) CVE-2017-6181 ruby: Stack overflow in parse_char_class() in Onigmo
CVE-2017-6181 ruby: Stack overflow in parse_char_class() in Onigmo
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20170220,repor...
: Security
Depends On:
Blocks: 1443436
  Show dependency treegraph
 
Reported: 2017-04-19 05:17 EDT by Adam Mariš
Modified: 2017-05-16 08:26 EDT (History)
32 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An unbounded recursion flaw was found in the way Ruby handled regular expressions. A specially crafted regular expression could be used by an attacker to crash an Ruby application processing such crafted input.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-05-16 04:28:55 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Adam Mariš 2017-04-19 05:17:00 EDT 
The parse_char_class function in regparse.c in the Onigmo (aka
Oniguruma-mod) regular expression library, as used in Ruby 2.4.0,
allows remote attackers to cause a denial of service (deep recursion
and application crash) via a crafted regular expression.

Upstream issue:

https://bugs.ruby-lang.org/issues/13234

Upstream patch:

https://github.com/ruby/ruby/commit/ea940cc4dcff8d6c3
Comment 2 Mamoru TASAKA 2017-04-20 00:23:13 EDT 
(In reply to Mamoru TASAKA from comment #1)
> This also affects oniguruma:
> https://github.com/kkos/oniguruma/commit/
> 9c85daa6b400157ee5b2be2cf5be87a031e4fd49#diff-
> d62ce585dc91a8f833f07e586f874814

The affected code was introduced by this;
https://github.com/kkos/oniguruma/commit/6b68ebe8360adefe45be94ed0dbf13a9aa9023ef

So does not affect on origuruma 6.1.3, 5.9.2. All versions of oniguruma shipped on Fedora are not affected by this.
Comment 4 Dhiru Kholia 2017-05-16 04:24:47 EDT 
Statement:

Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.